Introduction

TLS, or "transport layer security", and its predecessor SSL are protocols that wrap ordinary traffic in an encrypted, integrity-protected channel. With it in place, a server can exchange data with its clients without an outside party on the network being able to read or tamper with the messages in transit.

In this guide, we will show you how to create and use a self-signed SSL certificate with the Apache web server on Ubuntu 20.04.

Note: A self-signed certificate will encrypt communication between your server and any clients. However, because it is not signed by any of the trusted certificate authorities included with web browsers and operating systems, users cannot use the certificate to validate the identity of your server automatically. As a result, your users will see a security error when visiting your site. Encryption without authentication also means that a client which clicks through the warning has no way to tell your server apart from an attacker in the middle presenting a different self-signed certificate.

Because of this limitation, self-signed certificates are not appropriate for a production environment serving the public. They are typically used for testing, or for securing non-critical services used by a single user or a small group of users that can establish trust in the certificate's validity through alternate communication channels (for example, by comparing the certificate's fingerprint out of band and then importing the certificate into their browser's trust store).

For a more production-ready certificate solution, check out Let's Encrypt, a free certificate authority. You can learn how to download and configure a Let's Encrypt certificate in our How To Secure Apache with Let's Encrypt on Ubuntu 20.04 tutorial.
Prerequisites

Before starting this tutorial, you'll need the following:

Access to an Ubuntu 20.04 server with a non-root, sudo-enabled user. Our Initial Server Setup with Ubuntu 20.04 guide can show you how to create this account.

You will also need to have Apache installed. You can install Apache using apt. First, update the local package index to reflect the latest upstream changes:

sudo apt update

Then, install the apache2 package:

sudo apt install apache2

And finally, if you have a ufw firewall set up, open up the http and https ports (the "Apache Full" application profile covers both 80 and 443):

sudo ufw allow "Apache Full"

After these steps are complete, be sure you are logged in as your non-root user and continue with the tutorial.
Step 1 — Enabling mod_ssl

Before we can use any SSL certificates, we first have to enable mod_ssl, the Apache module that provides SSL/TLS support. On Ubuntu the module ships with the apache2 package; it only needs to be switched on.

Enable mod_ssl with the a2enmod command:

sudo a2enmod ssl

Restart Apache to activate the module:

sudo systemctl restart apache2

The mod_ssl module is now enabled and ready for use. You can confirm this with apache2ctl -M | grep ssl, which should list ssl_module among the loaded modules.
Step 2 — Creating the SSL Certificate

Now that Apache is ready to use encryption, we can move on to generating a new SSL certificate. The certificate holds the server's public key together with some basic information about your site, and is accompanied by a private key file that the server uses to prove ownership of that certificate during the TLS handshake. Keep the private key secret: anyone who holds it can impersonate your server.

We can create the SSL key and certificate files with the openssl command:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt

After you enter the command, you will be taken to a prompt where you can enter information about your website. Before we go over that, let's take a look at what is happening in the command we are issuing:

openssl: This is the command line tool for creating and managing OpenSSL certificates, keys, and other files.

req -x509: req is the subcommand that normally produces a certificate signing request (CSR) to hand to a certificate authority. With -x509 it instead signs the request with the new key itself and outputs a finished, self-signed X.509 certificate, so no CA is involved. X.509 is the public key infrastructure standard that SSL and TLS use for certificates.

-nodes: This tells OpenSSL not to encrypt the private key with a passphrase (the name is short for "no DES"). We need Apache to be able to read the key, without user intervention, when the server starts up; a passphrase would prevent this, since we would have to enter it after every restart. Because the key is stored unencrypted, its file permissions are the only thing protecting it. (OpenSSL 3.x spells this option -noenc and still accepts -nodes; Ubuntu 20.04 ships OpenSSL 1.1.1.)

-days 365: This option sets the length of time that the certificate will be considered valid. We set it for one year here. Major browsers reject publicly trusted certificates that are valid for longer than 398 days, and keeping a self-signed certificate to one year stays within the same habit.

-newkey rsa:2048: This specifies that we want to generate a new certificate and a new key at the same time. We did not create the key that is required to sign the certificate in a previous step, so we need to create it along with the certificate. The rsa:2048 portion tells it to make an RSA key that is 2048 bits long, the minimum size recommended today.

-keyout: This tells OpenSSL where to place the generated private key file that we are creating.

-out: This tells OpenSSL where to place the certificate that we are creating.

Fill out the prompts appropriately. The most important line is the one that requests the Common Name. You need to enter either the hostname you'll use to access the server by, or the public IP of the server. It's important that this field matches whatever you'll put into your browser's address bar to access the site, as a mismatch will cause more security errors. Note that modern browsers (Chrome since version 58) ignore the Common Name and match the address against the certificate's subjectAltName extension instead, and the interactive prompts do not set one. To avoid a name-mismatch error on top of the untrusted-issuer warning, add -addext "subjectAltName=DNS:your_domain" (or IP:your_ip when you address the server by IP) to the openssl command above; -addext is available in OpenSSL 1.1.1 and later.

The full list of prompts will look something like this:

Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Example
Locality Name (eg, city) [Default City]:Example
Organization Name (eg, company) [Default Company Ltd]:Example Inc
Organizational Unit Name (eg, section) []:Example Dept
Common Name (eg, your name or your server's hostname) []:your_domain_or_ip
Email Address []:webmaster@example.com

Both of the files you created will be placed in the appropriate subdirectories under /etc/ssl. Check that the private key is not readable by other users: ls -l /etc/ssl/private/apache-selfsigned.key should show -rw------- (or at most group-readable); if it does not, run sudo chmod 600 on it. Apache reads the key as root while starting up, so the restrictive mode does not get in its way.

Next we will update our Apache configuration to use the new certificate and key.
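As an added example (not code from the original tutorial), the following POSIX shell script performs the same generation non-interactively, answering the prompts with -subj and adding the subjectAltName with -addext, and then runs the checks worth doing on the result before pointing Apache at it: the SAN contains the hostname, the key really belongs to the certificate, the key file is not readable by others, and the validity window is what you asked for. The hostname www.example.test, the caller-supplied output paths and the helper names are assumptions of this example; on a server pass the /etc/ssl/private and /etc/ssl/certs paths used in the text.

```shell
#!/bin/sh
# Added example, not code from the original tutorial: non-interactive version
# of the openssl req command above plus the checks worth running on the result.
# Assumptions: the hostname www.example.test and the output paths passed by
# the caller are illustrative; on a server use the /etc/ssl paths from the text.
set -eu

# make_selfsigned KEYFILE CERTFILE HOSTNAME [DAYS]
#   -subj answers the interactive prompts; -addext sets the subjectAltName
#   that browsers actually match against (they ignore the CN); -nodes leaves
#   the key unencrypted so Apache can load it unattended at boot.
#   umask 077 inside the subshell makes the key file owner-readable only.
make_selfsigned() {
    key=$1; cert=$2; host=$3; days=${4:-365}
    ( umask 077
      openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
          -subj "/C=US/ST=Example/L=Example/O=Example Inc/CN=$host" \
          -addext "subjectAltName=DNS:$host" \
          -keyout "$key" -out "$cert" 2>/dev/null )
}

# cert_has_san CERTFILE HOSTNAME -> 0 if DNS:HOSTNAME is in the SAN list
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -qE "(^|[ ,])DNS:$2(,|$)"
}

# cert_valid_for_days CERTFILE DAYS -> 0 if the cert is still valid DAYS from now
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# key_matches_cert KEYFILE CERTFILE -> 0 if the key's public half is the one in the cert
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# key_is_private KEYFILE -> 0 if group and others have no permission bits at all
key_is_private() {
    case "$(stat -c '%a' "$1")" in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Demo when run directly with KEYFILE CERTFILE HOSTNAME, for example:
#   sudo ./selfsigned.sh /etc/ssl/private/apache-selfsigned.key \
#        /etc/ssl/certs/apache-selfsigned.crt www.example.test
if [ $# -eq 3 ]; then
    make_selfsigned "$1" "$2" "$3"
    cert_has_san "$2" "$3"       && echo "SAN contains $3"
    key_matches_cert "$1" "$2"   && echo "key matches certificate"
    key_is_private "$1"          && echo "key permissions OK"
    cert_valid_for_days "$2" 30  && echo "valid for at least 30 days"
fi
```

The SAN check is the one that matters for browsers; the key/certificate match catches the classic mistake of regenerating a certificate and forgetting to replace the key (Apache refuses to start with an SSLCertificateKeyFile that does not match the certificate).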
Step 3 — Configuring Apache to Use SSL

Now that we have our self-signed certificate and key available, we need to update our Apache configuration to use them. On Ubuntu, new Apache site configuration files (they must end in .conf) go into /etc/apache2/sites-available/. A file there is not active on its own: a2ensite links it into /etc/apache2/sites-enabled/, and Apache picks it up the next time the process is reloaded or restarted.

For this tutorial we will create a new minimal configuration file. (If you already have an Apache <VirtualHost> set up and just need to add SSL to it, you will likely need to copy over the configuration lines that start with SSL, and switch the VirtualHost port from 80 to 443. We will take care of port 80 in the next step.)

Open a new file in the /etc/apache2/sites-available directory:

sudo nano /etc/apache2/sites-available/your_domain_or_ip.conf

Paste in the following minimal VirtualHost configuration:
<VirtualHost *:443>
ServerName your_domain_or_ip
DocumentRoot /var/www/your_domain_or_ip
SSLEngine on
SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
</VirtualHost>
Be sure to update the ServerName line to however you intend to address your server. This can be a hostname, full domain name, or an IP address. Make sure whatever you choose matches the name you put into the certificate (the Common Name and, if you added one, the subjectAltName).

The remaining lines specify a DocumentRoot directory to serve files from, and the SSL options needed to point Apache to our newly-created certificate and key: SSLEngine on turns TLS on for this virtual host, and the two SSLCertificate directives name the files from Step 2.

Now let's create our DocumentRoot and put an HTML file in it just for testing purposes:

sudo mkdir /var/www/your_domain_or_ip

Open a new index.html file with your text editor:

sudo nano /var/www/your_domain_or_ip/index.html

Paste the following into the blank file:

<h1>it worked!</h1>

This is not a full HTML file, of course, but browsers are lenient and it will be enough to verify our configuration.
Save and close the file. Next, we need to enable the configuration file with the a2ensite tool:

sudo a2ensite your_domain_or_ip.conf

Next, let's test for configuration errors:

sudo apache2ctl configtest

If everything is successful, you will get a result that looks like this:

Output
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
Syntax OK

The first line is a message telling you that the ServerName directive is not set globally. If you want to get rid of that message, you can set ServerName to your server's domain name or IP address in /etc/apache2/apache2.conf. This is optional, as the message does no harm.

If your output has Syntax OK in it, your configuration file has no syntax errors. We can safely reload Apache to implement our changes:

sudo systemctl reload apache2

Now load your site in a browser, being sure to use https:// at the beginning.
You should see a security warning. This is normal for a self-signed certificate! The browser is telling you that it cannot verify the identity of the server, because our certificate is not signed by any certificate authority it trusts. If you generated the certificate without a subjectAltName, Chrome will also report that the name does not match. For testing purposes and personal use this can be fine: click through to the advanced or more information view and choose to proceed. For anything beyond a quick test, import the certificate (never the key) into the client's trust store instead, so that the client actually verifies the server rather than ignoring the error every time.

After you do so, your browser will load the it worked! message.

Note: if your browser doesn't connect at all to the server, make sure your connection isn't being blocked by a firewall. If you are using ufw, the following command will open ports 80 and 443:

sudo ufw allow "Apache Full"

Next we will add another VirtualHost section to our configuration to serve plain HTTP requests and redirect them to HTTPS.
Step 4 — Redirecting HTTP to HTTPS

Currently, our configuration will only respond to HTTPS requests on port 443. It is good practice to also respond on port 80, even if you want to force all traffic to be encrypted: a browser given a bare hostname tries http:// first, and a closed port 80 just looks like a broken site. Let's set up a VirtualHost to respond to these unencrypted requests and redirect them to HTTPS.

Open the same Apache configuration file we started in previous steps:

sudo nano /etc/apache2/sites-available/your_domain_or_ip.conf

At the bottom, create another VirtualHost block to match requests on port 80. Use the ServerName directive to again match your domain name or IP address. Then, use Redirect to match any requests and send them to the SSL VirtualHost. Make sure to include the trailing slash; without it the request path is appended to the target with no separator. Redirect sends a 302 by default, which browsers do not cache; once you are confident in the setup you can change it to Redirect permanent for a 301. Be aware that Ubuntu's default site (000-default.conf) also listens on port 80 and, being loaded first, handles any request whose Host header matches no ServerName. If you address the server by IP address, either put that IP in ServerName here or disable the default site with sudo a2dissite 000-default.
<VirtualHost *:80>
ServerName your_domain_or_ip
Redirect / https://your_domain_or_ip/
</VirtualHost>
Save and close this file when you are finished, then test your configuration syntax again, and reload Apache:

sudo apachectl configtest
sudo systemctl reload apache2

You can test the new redirect functionality by visiting your site with plain http:// in front of the address. You should be redirected to https:// automatically. Do not add a Strict-Transport-Security (HSTS) header while you are using a self-signed certificate: browsers refuse to let users click through certificate warnings for HSTS hosts, so the site would become unreachable until the certificate is trusted.
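As an added example (not code from the original tutorial), the following shell script renders the complete pair of VirtualHost blocks from Steps 3 and 4 for a hostname, installs it the way the text does (a2ensite, configtest, reload), and then verifies a running server with curl without turning certificate verification off: --cacert pins the self-signed certificate from Step 2 as the only trust anchor, which is the honest alternative to curl -k. The hostname www.example.test, the TLS 1.2+ restriction, the per-site log names and the helper names are assumptions of this example, not requirements of the tutorial.

```shell
#!/bin/sh
# Added example, not code from the original tutorial: render the HTTPS vhost
# and the port-80 redirect from Steps 3 and 4 for one hostname, and check a
# running server with curl without turning certificate verification off.
# Assumptions: hostname www.example.test, TLS 1.2+ only and per-site logs are
# illustrative choices, not requirements of the tutorial.
set -eu

# vhost_config HOSTNAME DOCROOT -> prints both VirtualHost blocks
#   Additions over the minimal config in the text: Redirect permanent (301
#   instead of the default 302), TLS 1.2/1.3 only, and per-site log files.
vhost_config() {
    host=$1; docroot=$2
    cat <<EOF
<VirtualHost *:443>
    ServerName $host
    DocumentRoot $docroot
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
    SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    ErrorLog \${APACHE_LOG_DIR}/$host-error.log
    CustomLog \${APACHE_LOG_DIR}/$host-access.log combined
</VirtualHost>

<VirtualHost *:80>
    ServerName $host
    Redirect permanent / https://$host/
</VirtualHost>
EOF
}

# install_vhost HOSTNAME DOCROOT -> writes sites-available/HOSTNAME.conf,
# enables it, and reloads Apache only if the syntax check passes (run as root)
install_vhost() {
    vhost_config "$1" "$2" > "/etc/apache2/sites-available/$1.conf"
    a2ensite "$1.conf"
    apache2ctl configtest && systemctl reload apache2
}

# response_status <headers -> status code from the first response line
response_status() {
    head -n 1 | tr -d '\r' | awk '{print $2}'
}

# response_location <headers -> value of the Location header, empty if none
response_location() {
    tr -d '\r' | awk 'tolower($1) == "location:" {print $2; exit}'
}

# check_redirect HOSTNAME -> 0 if http://HOSTNAME/ answers 301/302 to https://HOSTNAME/
check_redirect() {
    hdr=$(curl -sS -o /dev/null -D - "http://$1/")
    status=$(printf '%s\n' "$hdr" | response_status)
    loc=$(printf '%s\n' "$hdr" | response_location)
    { [ "$status" = 301 ] || [ "$status" = 302 ]; } && [ "$loc" = "https://$1/" ]
}

# check_tls HOSTNAME CERTFILE -> 0 if the server presents the certificate in
# CERTFILE (with a SAN matching HOSTNAME). --cacert makes that certificate the
# sole trust anchor, so identity is verified; "curl -k" would accept anything.
check_tls() {
    curl -sS --cacert "$2" -o /dev/null "https://$1/"
}
```

Source the file (. ./vhost.sh) and run install_vhost www.example.test /var/www/www.example.test as root; then check_redirect www.example.test and check_tls www.example.test /etc/ssl/certs/apache-selfsigned.crt should both return 0. A failing check_tls after a successful browser click-through usually means the certificate has no subjectAltName, which curl enforces just as browsers do.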
Conclusion

You have now configured Apache to serve encrypted requests using a self-signed SSL certificate, and to redirect unencrypted HTTP requests to HTTPS. Remember what this does and does not give you: traffic is encrypted, but clients have no third-party assurance of the server's identity unless they trust your certificate explicitly.

If you are planning on using SSL for a public website, you should look into purchasing a domain name and using a widely supported certificate authority such as Let's Encrypt.

For more information on using Let's Encrypt with Apache, please read our How To Secure Apache with Let's Encrypt on Ubuntu 20.04 tutorial.